Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3181
Views
0
Helpful
4
Replies

Cisco FMC/FTD Breaking HA

IamSamSaul
Level 1
Level 1

‎09-17-2021 12:32 PM - edited ‎09-17-2021 12:35 PM

Hi there, 

 

I got a Cisco vFMC with two Cisco Firepower configured as HA pair. At present the Secondary unit is Active. We got an issue with the Primary unit and have to perform factory-reset. I got a couple of questions:

 

1) Do I have to break the HA configuration first and then reset the unit? Or I can perform a reset while the HA configuration is intact.

 

2) If I have to break the HA configuration (while the Secondary unit is Active), what will happen? Does the Secondary Active unit continue to function without any disruption?

 

I hope someone can help me with this issue. Any suggestion or advice will be highly appreciated.

 

Regards & Thanks, 

Sam

0 Helpful
4 Replies 4

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎09-17-2021 01:36 PM

Hi @IamSamSaul,

If you have backup of your FTD device, then follow the guielines from here.

If you don't have backup, then you can find guidelines here.

One note - I always like to hardcode MAC addresses because of this, as in HA, primary device is providing MAC address for active unit. If replaced, new primary unit will provide new MAC address, which can cause interruptions. For this reason, I always hardcode them, so I don't really care which unit is primary, as no physcal addresses are in use. I would advise to configure currently active MAC as primary before you proceed with rebuilding units (although I'm not sure you would be able to deploy new policy while one device is down).

BR,

Milos

0 Helpful

IamSamSaul
Level 1
Level 1
In response to Milos_Jovanovic

‎09-17-2021 02:23 PM

Hi Milos,

Thanks for your reply.

I don't have the latest backup. I'm not going to replace the unit. After
upgrading the unit I can't log into the cli. I read that I have to factory
reset the unit. Do I still have to hard code the MAC address because it
will be the same unit?

Regards,
Sam
0 Helpful

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to IamSamSaul

‎09-19-2021 10:46 PM

Hi Sam,

Since you'll be using same device, I believe you don't need to hardcode MAC address this time, however, I would still advise it. This time you will just reimage device, but next time it might be HW replacement.

BR,

Milos

0 Helpful

vashan
Level 1
Level 1
In response to Milos_Jovanovic

‎10-20-2021 03:17 PM

Hi Milos.

 

I am facing the same problem on Device1. Can you describe the steps you used to fix the problem?

 

Description of my case:

I have two Cisco Firepower 2110 in HA Configuration. I tried to perform version upgrade from 6.4. to 6.6. I got Device2 (Standbyd device) upgraded to 6.6. But the Device1 (Primary) failed the update. And the Device1 i showing up in maintenance mode after i manually rebooted Device1 after upgrade failure. I cannot access the device using SSH. I can ping the management IP. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card